Petya ransomware unleashes havoc, raises alarm worldwide

Petya, a ransomware variant, has swept across the globe and impacted a wide range of industries, organisations and government agencies. Security researchers have warned that it 'will almost certainly be bigger' than the recent WannaCry ransomware attack because it is 'more sophisticated' - and there is no way to kill the virus.

According to Digital Shadows the malware itself appears to be a straightforward ransomware program but once infected, the virus encrypts each computer to a private key, rendering it unusable until the system is decrypted.

"The program then instructs the user to pay the $300 ransom to a static Bitcoin address, then email the bitcoin wallet and personal ID to the email address, which is now blocked," the company states.

Digital Shadows is warning businesses impacted by Petya not to pay the US$300 bitcoin fee as Posteo administrators have disconnected the email address associated with paying the ransomware to get unlock keys for impacted systems.

READ MORE

"It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so," says Becky Pinkard, Vice President, Service Delivery and Intelligence Operations, Digital Shadows.

Pinkard explains that there is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilises the #ETERNALBLUE SMBv1 worm functionality.

"More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up," Pinkard adds.

Ransomworm

Cyber security and solutions firm Fortinet believes Petya is part of a new wave of multi-vector ransomware attacks that the company calls 'ransomworm', which takes advantage of timely exploits.

According to Fortinet the ransomworm is designed to move across multiple systems automatically, rather than stay in one place.

"It appears that the Petya ransomworm is using similar current vulnerabilities that were exploited during the recent Wannacry attack. This variant, however, rather than focusing on a single organisation, uses a broad-brush approach that targets any device it can find that its attached worm is able to exploit. It appears that this attack started with the distribution of an Excel document that exploits a known Microsoft Office exploit. Because additional attack vectors were used in this exploit, patching alone would have been inadequate to completely stop this exploit, which means that patching needs to be combined with good security tools and practices," the company adds.

Digital security and antivirus solutions company ESET says the outbreak appears to have started in Ukraine, where reports indicate that the financial sector, energy sector and numerous other industries have been hit.

The company says it appears that the version of Petya uses a combination of the SMB exploit (EternalBlue) used by WannaCry for getting inside the network and then spreading through PsExec for spreading within the network.

"This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully, most vulnerabilities have been patched. It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers," the company states.

In a further update from ESET, the company add: "ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanised update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign."

Spreading fast

Maya Horowitz, Threat Intelligence Group Manager for Check Point, said: "This appears to be a new version of the Petya ransomware, which first appeared in March 2016, and it's spreading fast globally by moving across business networks in the same way that 'WannaCry' did last month.

"Unlike other ransomware types, Petya does not encrypt files on infected machines one by one, instead it locks up the entire hard disk drive. To protect themselves, organisations should apply the latest Microsoft security patches immediately, and disable the SMBv1 file-sharing protocol on their Windows systems.

Horowitz added, "Organisations also need to be able to prevent infections taking hold in the first place, by scanning for, blocking and filtering out suspicious files content before it reaches their networks. It's also essential that staff are educated about the potential risks of incoming emails from unknown parties, or suspicious-looking emails that appear to come from known contacts."

In May this year, South Africa, Ivory Coast and Nigeria were identified as top targets for the WannaCry ransomware campaign in Africa, according to research by Fortinet.

Data sourced by Simon Bryden, Consulting Systems Engineer at Fortinet, suggested that after South Africa and the Ivory Coast, Nigeria, Egypt and Algeria were also key targets.